Merge pull request #60 from richm/es-copy

Allow fluentd to send copies of logs to another Elasticsearch

Author: ewolinetz

README.md

@@ -223,6 +223,42 @@ Mount the created secret to your Fluentd container
 oc volumes dc/logging-fluentd --add --type=secret --secret-name=fluentd-throttle --mount-path=/etc/throttle-settings --name=throttle-settings --overwrite
 ```
 
+## Have Fluentd send logs to another Elasticsearch
+
+You can configure Fluentd to send a copy of each log message to both the
+Elasticsearch instance included with OpenShift aggregated logging, _and_ to an
+external Elasticsearch instance.  For example, if you already have an
+Elasticsearch instance set up for auditing purposes, or data warehousing, you
+can send a copy of each log message to that Elasticsearch, in addition to the
+the Elasticsearch hosted with OpenShift aggregated logging.
+
+If the environment variable `ES_COPY` is `"true"`, Fluentd will send a copy of
+the logs to another Elasticsearch. The settings for the copy are just like the
+current `ES_HOST`, etc. and `OPS_HOST`, etc. settings, except that they add
+`_COPY`: `ES_COPY_HOST`, `OPS_COPY_HOST`, etc.  There are some additional
+parameters added:
+* `ES_COPY_SCHEME`, `OPS_COPY_SCHEME` - can use either http or https - defaults
+  to https
+* `ES_COPY_USERNAME`, `OPS_COPY_USERNAME` - user name to use to authenticate to
+  elasticsearch using username/password auth
+* `ES_COPY_PASSWORD`, `OPS_COPY_PASSWORD` - password to use to authenticate to
+  elasticsearch using username/password auth
+
+To set the parameters::
+
+    oc edit -n logging template logging-fluentd-template
+    # add/edit ES_COPY to have the value "true" - with the quotes
+    # add or edit the COPY parameters listed above
+    # automated:
+    #   oc get -n logging template logging-fluentd-template -o yaml > file
+    #   edit the file with sed/perl/whatever
+    #   oc replace -n logging -f file
+    oc delete daemonset logging-fluentd
+    # wait for fluentd to stop
+    oc process -n logging logging-fluentd-template | \
+      oc create -n logging -f -
+    # this creates the daemonset and starts fluentd with the new params
+
 ## Upgrading your EFK stack
 
 If you need to upgrade your EFK stack with new images, you'll need to take the

deployment/templates/fluentd.yaml

@@ -86,6 +86,40 @@ objects:
               value: ${OPS_CLIENT_KEY}
             - name: "OPS_CA"
               value: ${OPS_CA}
+            - name: "ES_COPY"
+              value: ${ES_COPY}
+            - name: "ES_COPY_HOST"
+              value: ${ES_COPY_HOST}
+            - name: "ES_COPY_PORT"
+              value: ${ES_COPY_PORT}
+            - name: "ES_COPY_SCHEME"
+              value: ${ES_COPY_SCHEME}
+            - name: "ES_COPY_CLIENT_CERT"
+              value: ${ES_COPY_CLIENT_CERT}
+            - name: "ES_COPY_CLIENT_KEY"
+              value: ${ES_COPY_CLIENT_KEY}
+            - name: "ES_COPY_CA"
+              value: ${ES_COPY_CA}
+            - name: "ES_COPY_USERNAME"
+              value: ${ES_COPY_USERNAME}
+            - name: "ES_COPY_PASSWORD"
+              value: ${ES_COPY_PASSWORD}
+            - name: "OPS_COPY_HOST"
+              value: ${OPS_COPY_HOST}
+            - name: "OPS_COPY_PORT"
+              value: ${OPS_COPY_PORT}
+            - name: "OPS_COPY_SCHEME"
+              value: ${OPS_COPY_SCHEME}
+            - name: "OPS_COPY_CLIENT_CERT"
+              value: ${OPS_COPY_CLIENT_CERT}
+            - name: "OPS_COPY_CLIENT_KEY"
+              value: ${OPS_COPY_CLIENT_KEY}
+            - name: "OPS_COPY_CA"
+              value: ${OPS_COPY_CA}
+            - name: "OPS_COPY_USERNAME"
+              value: ${OPS_COPY_USERNAME}
+            - name: "OPS_COPY_PASSWORD"
+              value: ${OPS_COPY_PASSWORD}
           volumes:
           - name: varlog
             hostPath:
@@ -121,7 +155,7 @@ parameters:
   name: ES_CLIENT_KEY
   value: "/etc/fluent/keys/key"
 -
-  description: "Location of CA cert for validating connectiong to ElasticSearch to write logs"
+  description: "Location of CA cert for validating connection to ElasticSearch to write logs"
   name: ES_CA
   value: "/etc/fluent/keys/ca"
 -
@@ -141,7 +175,7 @@ parameters:
   name: OPS_CLIENT_KEY
   value: "/etc/fluent/keys/key"
 -
-  description: "Location of CA cert for validating connectiong to ElasticSearch to write cluster logs"
+  description: "Location of CA cert for validating connection to ElasticSearch to write cluster logs"
   name: OPS_CA
   value: "/etc/fluent/keys/ca"
 -
@@ -152,3 +186,71 @@ parameters:
   description: "The image version for the Fluentd image to use"
   name: IMAGE_VERSION
   value: ""
+-
+  description: "Send a copy of the logs to an additional Elasticsearch instance."
+  name: ES_COPY
+  value: "false"
+-
+  description: "Hostname (or IP) for additional ElasticSearch"
+  name: ES_COPY_HOST
+  value: ""
+-
+  description: "Port number for additional ElasticSearch"
+  name: ES_COPY_PORT
+  value: ""
+-
+  description: "URL scheme for additional ElasticSearch - http or https - default is https"
+  name: ES_COPY_SCHEME
+  value: "https"
+-
+  description: "Location of client certificate for authenticating to additional ElasticSearch"
+  name: ES_COPY_CLIENT_CERT
+  value: ""
+-
+  description: "Location of client key for authenticating to additional ElasticSearch"
+  name: ES_COPY_CLIENT_KEY
+  value: ""
+-
+  description: "Location of CA cert for validating connection to additional ElasticSearch"
+  name: ES_COPY_CA
+  value: ""
+-
+  description: "Username for username/password auth to connection to additional ElasticSearch"
+  name: ES_COPY_USERNAME
+  value: ""
+-
+  description: "Password for username/password auth to connection to additional ElasticSearch"
+  name: ES_COPY_PASSWORD
+  value: ""
+-
+  description: "Hostname (or IP) for additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_HOST
+  value: ""
+-
+  description: "Port number for additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_PORT
+  value: ""
+-
+  description: "URL scheme for additional ElasticSearch to write cluster logs - http or https - default is https"
+  name: OPS_COPY_SCHEME
+  value: "https"
+-
+  description: "Location of client certificate for authenticating to additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_CLIENT_CERT
+  value: ""
+-
+  description: "Location of client key for authenticating to additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_CLIENT_KEY
+  value: ""
+-
+  description: "Location of CA cert for validating connectiong to additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_CA
+  value: ""
+-
+  description: "Username for username/password auth to connection to additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_USERNAME
+  value: ""
+-
+  description: "Password for username/password auth to connection to additional ElasticSearch to write cluster logs"
+  name: OPS_COPY_PASSWORD
+  value: ""

fluentd/Dockerfile

@@ -28,7 +28,9 @@ RUN rpmkeys --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 && \
 
 ADD fluent.conf /etc/fluent/fluent.conf
 ADD configs.d/ /etc/fluent/configs.d/
-ADD run.sh generate_throttle_configs.rb ${HOME}/
+ADD run.sh generate_throttle_configs.rb \
+    fluentd_es_copy_config.conf fluentd_es_ops_copy_config.conf \
+    ${HOME}/
 
 WORKDIR ${HOME}
 

fluentd/configs.d/output/applications.conf

@@ -1,17 +1,5 @@
 <match **>
-   @type elasticsearch_dynamic
-   host "#{ENV['ES_HOST']}"
-   port "#{ENV['ES_PORT']}"
-   scheme https
-   index_name ${record['kubernetes_namespace_name']}.${Time.at(time).getutc.strftime(@logstash_dateformat)}
-   user fluentd
-   password changeme
-
-   client_key "#{ENV['ES_CLIENT_KEY']}"
-   client_cert "#{ENV['ES_CLIENT_CERT']}"
-   ca_file "#{ENV['ES_CA']}"
-     
-   flush_interval 5s
-   max_retry_wait 300
-   disable_retry_limit
+   @type copy
+   @include fluentd_es_config.conf
+   @include fluentd_es_copy_config.conf
 </match>

fluentd/configs.d/output/fluentd_es_config.conf

@@ -0,0 +1,17 @@
+    <store>
+      @type elasticsearch_dynamic
+      host "#{ENV['ES_HOST']}"
+      port "#{ENV['ES_PORT']}"
+      scheme https
+      index_name ${record['kubernetes_namespace_name']}.${Time.at(time).getutc.strftime(@logstash_dateformat)}
+      user fluentd
+      password changeme
+
+      client_key "#{ENV['ES_CLIENT_KEY']}"
+      client_cert "#{ENV['ES_CLIENT_CERT']}"
+      ca_file "#{ENV['ES_CA']}"
+
+      flush_interval 5s
+      max_retry_wait 300
+      disable_retry_limit
+    </store>

fluentd/configs.d/output/fluentd_es_ops_config.conf

@@ -0,0 +1,17 @@
+    <store>
+      @type elasticsearch_dynamic
+      host "#{ENV['OPS_HOST']}"
+      port "#{ENV['OPS_PORT']}"
+      scheme https
+      index_name .operations.${record['time'].nil? ? Time.at(time).getutc.strftime(@logstash_dateformat) : Time.parse(record['time']).getutc.strftime(@logstash_dateformat)}
+      user fluentd
+      password changeme
+
+      client_key "#{ENV['OPS_CLIENT_KEY']}"
+      client_cert "#{ENV['OPS_CLIENT_CERT']}"
+      ca_file "#{ENV['OPS_CA']}"
+
+      flush_interval 5s
+      max_retry_wait 300
+      disable_retry_limit
+    </store>

fluentd/configs.d/output/operations.conf

@@ -1,18 +1,5 @@
 <match system.var.log** **_default_** **_openshift_** **_openshift-infra_**>
-  @type elasticsearch_dynamic
-  host "#{ENV['OPS_HOST']}"
-  port "#{ENV['OPS_PORT']}"
-  scheme https
-  index_name .operations.${record['time'].nil? ? Time.at(time).getutc.strftime(@logstash_dateformat) : Time.parse(record['time']).getutc.strftime(@logstash_dateformat)}
-
-  user fluentd
-  password changeme
-
-  client_key "#{ENV['OPS_CLIENT_KEY']}"
-  client_cert "#{ENV['OPS_CLIENT_CERT']}"
-  ca_file "#{ENV['OPS_CA']}"
-
-  flush_interval 5s
-  max_retry_wait 300
-  disable_retry_limit
+  @type copy
+  @include fluentd_es_ops_config.conf
+  @include fluentd_es_ops_copy_config.conf
 </match>

fluentd/fluentd_es_copy_config.conf

@@ -0,0 +1,17 @@
+    <store>
+      @type elasticsearch_dynamic
+      host "#{ENV['ES_COPY_HOST']}"
+      port "#{ENV['ES_COPY_PORT']}"
+      scheme "#{ENV['ES_COPY_SCHEME']}"
+      index_name ${record['kubernetes_namespace_name']}.${Time.at(time).getutc.strftime(@logstash_dateformat)}
+      user "#{ENV['ES_COPY_USERNAME']}"
+      password "#{ENV['ES_COPY_PASSWORD']}"
+
+      client_key "#{ENV['ES_COPY_CLIENT_KEY']}"
+      client_cert "#{ENV['ES_COPY_CLIENT_CERT']}"
+      ca_file "#{ENV['ES_COPY_CA']}"
+
+      flush_interval 5s
+      max_retry_wait 300
+      disable_retry_limit
+    </store>

fluentd/fluentd_es_ops_copy_config.conf

@@ -0,0 +1,17 @@
+    <store>
+      @type elasticsearch_dynamic
+      host "#{ENV['OPS_COPY_HOST']}"
+      port "#{ENV['OPS_COPY_PORT']}"
+      scheme "#{ENV['OPS_COPY_SCHEME']}"
+      index_name .operations.${record['time'].nil? ? Time.at(time).getutc.strftime(@logstash_dateformat) : Time.parse(record['time']).getutc.strftime(@logstash_dateformat)}
+      user "#{ENV['OPS_COPY_USERNAME']}"
+      password "#{ENV['OPS_COPY_PASSWORD']}"
+
+      client_key "#{ENV['OPS_COPY_CLIENT_KEY']}"
+      client_cert "#{ENV['OPS_COPY_CLIENT_CERT']}"
+      ca_file "#{ENV['OPS_COPY_CA']}"
+
+      flush_interval 5s
+      max_retry_wait 300
+      disable_retry_limit
+    </store>

fluentd/run.sh

@@ -1,12 +1,41 @@
+#!/bin/bash
+
 if [[ $VERBOSE ]]; then
   set -ex
+  fluentdargs="-vv"
 else
   set -e
+  fluentdargs=  
 fi
 
-mkdir -p /etc/fluent/configs.d/input/docker
-mkdir -p /etc/fluent/configs.d/input/syslog
+OPS_COPY_HOST="${OPS_COPY_HOST:-$ES_COPY_HOST}"
+OPS_COPY_PORT="${OPS_COPY_PORT:-$ES_COPY_PORT}"
+OPS_COPY_SCHEME="${OPS_COPY_SCHEME:-$ES_COPY_SCHEME}"
+OPS_COPY_CLIENT_CERT="${OPS_COPY_CLIENT_CERT:-$ES_COPY_CLIENT_CERT}"
+OPS_COPY_CLIENT_KEY="${OPS_COPY_CLIENT_KEY:-$ES_COPY_CLIENT_KEY}"
+OPS_COPY_CA="${OPS_COPY_CA:-$ES_COPY_CA}"
+OPS_COPY_USERNAME="${OPS_COPY_USERNAME:-$ES_COPY_USERNAME}"
+OPS_COPY_PASSWORD="${OPS_COPY_PASSWORD:-$ES_COPY_PASSWORD}"
+export OPS_COPY_HOST OPS_COPY_PORT OPS_COPY_SCHEME OPS_COPY_CLIENT_CERT \
+       OPS_COPY_CLIENT_KEY OPS_COPY_CA OPS_COPY_USERNAME OPS_COPY_PASSWORD
+
+CFG_IN_DIR=/etc/fluent/configs.d/input
+CFG_OUT_DIR=/etc/fluent/configs.d/output
+
+mkdir -p $CFG_IN_DIR/docker
+mkdir -p $CFG_IN_DIR/syslog
 
 ruby generate_throttle_configs.rb
 
-fluentd
+if [ "$ES_COPY" = "true" ] ; then
+    # user wants to split the output of fluentd into two different elasticsearch
+    # user will provide the necessary COPY environment variables as above
+    cp $HOME/fluentd_es_copy_config.conf $HOME/fluentd_es_ops_copy_config.conf $CFG_OUT_DIR
+else
+    # create empty files for the ES copy config
+    rm -f $CFG_OUT_DIR/fluentd_es_copy_config.conf $CFG_OUT_DIR/fluentd_es_ops_copy_config.conf
+    touch $CFG_OUT_DIR/fluentd_es_copy_config.conf $CFG_OUT_DIR/fluentd_es_ops_copy_config.conf
+fi
+
+
+fluentd $fluentdargs